
Enterprise security moves to the edge

Many organizations are using SASE and SD-WAN to turn their hybrid cloud networks inside out.

In the name of security, enterprises sometimes engage in a lot of inefficient and convoluted network design. Keeping enterprise resources inside the data center, protected from attack by a strong perimeter at the edge of the network, has been the conventional design for some time. The rise of cloud services and hybrid cloud design, along with the shift to work from home, has made this view obsolete. Enterprises must now manage security out at the edge itself.

Hybrid architecture means that users and software are frequently connecting in and out of the data center. Sometimes they connect from one cloud service to another without needing to connect to the data center at all. One approach to this problem is a complete re-architecting of enterprise security.

Modern architectural approaches to edge security propose a pair of strategic shifts: to a new security model called secure access service edge (SASE) and a network management tactic called software-defined wide-area networking (SD-WAN). SASE and SD-WAN provide a higher degree of clarity and control around the management of network traffic and content. But they require significant commitments, including a well-architected WAN, that organizations need to evaluate based on their needs and their readiness.

SASE, a term coined by Gartner, redefines the structure of an organization's IT universe. Instead of the data center being at the center of that universe, fanning out connections to the cloud and business partners, SASE proposes putting a secure network services provider (such as Zscaler, Cloudflare, or Netskope) at the center of the IT network infrastructure. This essentially turns the network inside out, making the data center just another endpoint in the network cloud core.


Users and services making connections through the network must use either IPsec tunnels through the secure network provider or agent software from the provider to authenticate and perform other security functions. In this new model, the interconnect edge network becomes the new cloud. Gartner calls this vision of network-based applications, protected by brokers sensitive to identity and context, zero trust network access (ZTNA).

SD-WAN decouples routing decisions from networking hardware and the physical network. This lets customers set up secure regional zones and direct that traffic where it needs to go based on automated policies for security, cost, performance, and other network conditions in real time.

Edge security challenges

In a modern, hybrid cloud, edge access can come from any type of device on the network, anytime, anywhere by anyone. That means IoT sensors, phones, laptops, digital signage, security cameras, smart watches―you name it. Analyzing all of the characteristics from each connection to determine the risk and then what actions or restrictions to take requires a significant level of intelligence.

The profiling of access risks isn't performed just once at the initial point of access―it needs to be checked continually throughout the life of the connection. The level of risk can change, depending on the user's behavior and any other characteristics that shift during the course of a connection. Together, the initial profiling and the ongoing profiling provide full line-of-sight visibility into what the user is doing and allow for adjustments as the user works.

By moving security evaluations and decisions out into the cloud, the decisions can be made before anything is accessed, and all of the decisions between any endpoints can be considered in the same process.


This changes the way companies perform networking and security. The SASE model puts critical access decisions at the endpoint device and the point-of-presence touchpoint on the network cloud. Once the endpoint is allowed entry to the interconnected mesh, other decisions can be made about routing within the cloud and other particulars of the connection.

As traffic moves through the mesh, an organization can route pieces of it based on the content's priority, source, destination, and other attributes. SASE, combined with SD-WAN, offers a high level of control and availability. Just as important, it gives IT visibility into the traffic that's being moved. From a security point of view, IT can apply sophisticated rules and automation that authorize and block certain pathways. For example, traffic with a credit card number in it can be allowed to follow certain paths in the mesh but can exit only at certain preapproved places. IT can exercise this level of control from Layer 3 in the network protocol stack all the way up to the application level.
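The two ideas above, continuous re-profiling of a connection and content-aware egress control, in one toy policy evaluator. This is an added illustration, not code from the article or from any SASE vendor; the tags, egress point names, risk weights and the threshold are all constructed assumptions.

```python
"""Toy SASE-style policy evaluator (added example; all values are constructed)."""
from dataclasses import dataclass, field

# Hypothetical policy: content tagged "pci" may traverse the mesh but may only
# leave it through these pre-approved egress points.
APPROVED_EGRESS = {"pci": {"pop-fin-1", "pop-fin-2"}}
RISK_LIMIT = 70  # hypothetical score at which an existing session is cut


@dataclass
class Flow:
    user: str
    device_posture: str      # "managed" or "unmanaged" (assumed posture states)
    content_tags: set        # classification of the content in the flow
    egress: str              # point of presence where the flow wants to exit
    risk: int = 0
    events: list = field(default_factory=list)


def score(flow: Flow) -> int:
    """Hypothetical risk score from device posture plus behaviour seen so far."""
    risk = 0 if flow.device_posture == "managed" else 40
    risk += 30 * flow.events.count("impossible_travel")
    risk += 20 * flow.events.count("posture_lost")
    return risk


def decide(flow: Flow) -> str:
    """Return 'allow', 'reroute' (steer to an approved exit) or 'deny'."""
    flow.risk = score(flow)
    if flow.risk >= RISK_LIMIT:
        return "deny"
    for tag in flow.content_tags:
        allowed = APPROVED_EGRESS.get(tag)
        if allowed is not None and flow.egress not in allowed:
            return "reroute"
    return "allow"


def run_session(flow: Flow, events) -> list:
    """Initial decision, then a fresh decision after every event in the session."""
    verdicts = [decide(flow)]
    for ev in events:
        flow.events.append(ev)
        if ev == "posture_lost":
            flow.device_posture = "unmanaged"
        verdicts.append(decide(flow))
    return verdicts
```

A session that was admitted can thus be cut later when its risk rises, and PCI-tagged traffic is steered rather than blocked when it asks for a non-approved exit.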

SASE also eliminates needless connections through the data center between entities outside of it. The point of these connections is to perform security checks, but SASE makes the process simpler and more efficient by performing the checks outside.

Shifting to an SD-WAN/SASE model

How cumbersome will it be to shift to an SD-WAN/SASE/ZTNA model for edge security? That depends on many factors, including the maturity of a company's WAN infrastructure and the organization's ability to shape its IT culture to a new way of doing networking and security.

If the company has a well-designed WAN, only minor adjustments will be needed―perhaps increasing bandwidth on certain links or eliminating links that are no longer needed. The journey to edge security will be much shorter.

But if a WAN is immature, the journey will be longer. An extreme example of an immature network is one that is big and flat, with a single IP address space in which all traffic can travel anywhere. If there's weak segmentation and insufficient traffic inspection, a full reengineering of the network architecture will be required to provide solid protection for an ever-increasing number of nodes connecting to outside devices.


The cultural aspect can be even more challenging. Criss-crossing networking and security functions inside an organization forces teams to work together more closely, determine roles and responsibilities, and form a series of best practices going forward. This can be difficult for organizations with entrenched and siloed cultures.

As companies build out their edge development strategies, they need to bring security into the mix. A planning process should determine how much of a lift it would be to shift to a new networking/security model, how the organization can integrate new security tools, and how all appropriate stakeholders can focus on the common goal of edge security.

Starting the journey

It can be a confusing process, but there are steps organizations can take. As the edge increasingly becomes a critical part of an organization's network, it will become inherently more complex and less secure unless changes are made. Organizations need to get ready for a new world of connectivity, information, and scalability. Now is the time to start the journey.

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.